Regular Contributor I
Posts: 181
Registered: ‎10-20-2010

Web Authentication is Disabled

I need some help please.  Guest users have been reporting a "Web Authentication is Disabled" error after authenticating to the CP page.  Although they get the error, they have successfully been put into the correct authenticated role, and if they ignore this message they can browse the net.  I am not sure when this started but it's a global issue.

Recent changes

New SSL cert on all controllers for securelogins.fluor.com
Captive portal ACL change added two permit lines to the ACL for CPPM.  Tried taking these out and had the same issue.
Changed AmigoPod to CPPM last night and I am not 100% sure but I was told this issue predates that change.

I was told Aruba support did some tests with a test CP page and authentication role and everything works.  Leads me to believe I have a configuration error.  BTW this worked as is for a year plus on the same AOS.

 

Running AOS 6.1.3.7 on 70 controllers all models.  Same issue globally able to reproduce. 

 

 

 

aaa authentication captive-portal "amigopod"
   default-role "ShortTerm"   <<<  one or two authenticated guest roles
   server-group "AmigoPods"
   login-page "https://guestaccess.fdnet.com/fluor_guestmanage_cert_login.php"

aaa server-group "AmigoPods"
 auth-server AmigoPod
 set role condition Filter-Id equals "ShortTerm" set-value ShortTerm  <<<<  David added these years ago when we installed AmigoPod.  I don't think they are needed now with CPPM based on new setup Steve did.  Not sure.
 set role condition Filter-Id equals "LongTerm" set-value LongTerm  <<<<  David added these years ago when we installed AmigoPod.  I don't think they are needed now with CPPM based on new setup Steve did.  Not sure.
!


ip access-list session captiveportal
  user   alias mswitch svc-https  dst-nat 8081
  user   alias controller svc-https  dst-nat 8081
  user   alias CPPM svc-http  permit   <<<<  Newer addition
  user   alias CPPM svc-https  permit  <<<<  Newer addition
  user any svc-http  dst-nat 8080
  user any svc-https  dst-nat 8081
  user any svc-http-proxy1  dst-nat 8088
  user any svc-http-proxy2  dst-nat 8088
  user any svc-http-proxy3  dst-nat 8088


user-role Guest-Logon-AP  <<<  Unauthenticated initial role  no changes worked for a year+
 captive-portal "amigopod"
 access-list session Guest-Logon-Policy
 access-list session Guest-Printing
 access-list session guest-pw-portal
 access-list session captiveportal



user-role LongTerm  <<<  one or two authenticated guest roles
 access-list session Guest-Logon-Policy
 access-list session Guest-Printing
 access-list session guest-pw-portal
 access-list session cplogout
 access-list session deny_LLMNR_acl
 access-list session deny_mDNS_acl
 access-list session deny_SSDP_and_UPnP_acl
 access-list session deny_netbios_acl
 access-list session inside-exceptions
 access-list session Block-Inside-Networks-Policy
 access-list session Guest-Access-Policy




user-role ShortTerm   <<<  one or two authenticated guest roles
 access-list session Guest-Logon-Policy
 access-list session Guest-Printing
 access-list session guest-pw-portal
 access-list session cplogout
 access-list session deny_LLMNR_acl
 access-list session deny_mDNS_acl
 access-list session deny_SSDP_and_UPnP_acl
 access-list session deny_netbios_acl
 access-list session inside-exceptions
 access-list session Block-Inside-Networks-Policy
 access-list session Guest-Access-Policy


 

 

(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #show user | include 08:70:45:ca:b5:ae
10.236.116.21   08:70:45:ca:b5:ae  test@fc01.com     LongTerm           00:01:24    Web               FC01-TGUB12-AP01  Wireless  IWL900/6c:f3:7f:3e:b6:00/g-HT   AAA-Guest-Logon        tunnel        iPhone

(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #
(FLRFC01-Aruba01) #show rights LongTerm

Derived Role = 'LongTerm'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 89/0
 Max Sessions = 65535


access-list List
----------------
Position  Name                          Location
--------  ----                          --------
1         Guest-Logon-Policy            
2         Guest-Printing                
3         guest-pw-portal               
4         cplogout                      
5         deny_LLMNR_acl                
6         deny_mDNS_acl                 
7         deny_SSDP_and_UPnP_acl        
8         deny_netbios_acl              
9         inside-exceptions             
10        Block-Inside-Networks-Policy  
11        Guest-Access-Policy           

Guest-Logon-Policy
------------------
Priority  Source  Destination                Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------                -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                        udp 68    deny                             Low                                                           4
2         user    Fluor-Approved-Public-DNS  svc-dns   permit                           Low                                                           4
3         user    mswitch                    svc-icmp  permit                           Low                                                           4
4         any     guest-gateways             svc-dhcp  permit                           Low                                                           4
5         any     255.255.255.255            svc-dhcp  permit                           Low                                                           4
6         any     any                        svc-dhcp  deny                             Low                                                           4
Guest-Printing
--------------
Priority  Source          Destination     Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------          -----------     -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         guest-networks  guest-printers  any      permit                           Low                                                           4
2         guest-printers  guest-networks  any      permit                           Low                                                           4
guest-pw-portal
---------------
Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    amigopods    svc-https  permit                           Low                                                           4
2         user    amigopods    svc-http   permit                           Low                                                           4
cplogout
--------
Priority  Source  Destination  Service    Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    mswitch      svc-https  dst-nat 8081                           Low                                                           4
2         user    controller   svc-https  dst-nat 8081                           Low                                                           4
deny_LLMNR_acl
--------------
Priority  Source  Destination      Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------      -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     239.255.255.252  any      deny                             Low                                                           4
deny_mDNS_acl
-------------
Priority  Source  Destination  Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          udp 5353  deny                             Low                                                           4
deny_SSDP_and_UPnP_acl
----------------------
Priority  Source  Destination      Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------      -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     239.255.255.250  any      deny                             Low                                                           4
2         any     239.255.255.253  any      deny                             Low                                                           4
deny_netbios_acl
----------------
Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          udp 137  deny                             Low                                                           4
2         any     any          udp 138  deny                             Low                                                           4
inside-exceptions
-----------------
Priority  Source  Destination             Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------             -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    Fluor-Websense-Servers  tcp 15871  permit                           Low                                                           4
2         user    mswitch                 svc-https  permit                           Low                                                           4
3         user    10.25.2.38              svc-http   permit                           Low                                                           4
4         user    10.26.14.40             svc-http   permit                           Low                                                           4
5         user    10.252.149.190          any        permit                           Low                                                           4
Block-Inside-Networks-Policy
----------------------------
Priority  Source           Destination      Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------           -----------      -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user             inside-networks  any      deny                             Low                                                           4
2         inside-networks  user             any      deny                             Low                                                           4
Guest-Access-Policy
-------------------
Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any          svc-http   permit                           Low                                                           4
2         user    any          svc-https  permit                           Low                                                           4
3         user    any          any        permit                           Low                                                           4

Expired Policies (due to time constraints) = 0

(FLRFC01-Aruba01) #

 

 

 

 

 

Regular Contributor I
Posts: 181
Registered: ‎10-20-2010

Re: Web Authentication is Disabled

BTW I have a case open on this and was told I am hitting a known bug, but I refuse to accept that considering it all worked up to a short time ago.  They are looking at captures.  I searched the posts here and I don't see any that apply.  It looks set up correctly.  Looking for other ideas please.

 

 

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Web Authentication is Disabled

In your captive portal profile, do you have user authentication and/or guest authentication enabled?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,794
Registered: ‎03-29-2007

Re: Web Authentication is Disabled

ascott,

 

There were a number of issues that caused that problem in the past, and it was intermittent.  I have not seen it on the latest versions of code, however.

 



Colin Joseph
Aruba Customer Engineering

Regular Contributor I
Posts: 181
Registered: ‎10-20-2010

Re: Web Authentication is Disabled

Issue resolved. It was related to the AmigoPod to CPPM upgrade. I was told the issue started before the upgrade but after more info collection that was not the case and it started after the upgrade.

 

Normally when we migrate from Amigopod to CPG, you need to modify the controller’s CP profile to point to “/guest” directory.

 

aaa authentication captive-portal "amigopod"
   default-role "ShortTerm"
   server-group "AmigoPods"
   login-page "https://guestaccess.fdnet.com/guest/fluor_guestmanage_cert_login.php"

 

 

Hope this helps someone.  Sure glad I didn't AOS upgrade 70 controllers per Aruba "bug"  :-)
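
As an added example (not part of the thread and not Aruba's code), the check below scans controller configuration text for captive-portal profiles whose login-page is hosted on the ClearPass server but sits outside the "/guest" directory, which is the mismatch the resolution above describes. The sample config, the profile names "amigopod-fixed" and "internal", and the function names are constructed for illustration; it assumes profile sub-lines are indented as in the configuration posted at the top of the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the thread's profile; not a real controller dump.
SAMPLE_CONFIG = '''\
aaa authentication captive-portal "amigopod"
   default-role "ShortTerm"
   server-group "AmigoPods"
   login-page "https://guestaccess.fdnet.com/fluor_guestmanage_cert_login.php"
!
aaa authentication captive-portal "amigopod-fixed"
   default-role "ShortTerm"
   server-group "AmigoPods"
   login-page "https://guestaccess.fdnet.com/guest/fluor_guestmanage_cert_login.php"
!
aaa authentication captive-portal "internal"
   default-role "guest"
!
'''

PROFILE_RE = re.compile(r'^aaa authentication captive-portal\s+"?([^"\n]+?)"?\s*$')
LOGIN_RE = re.compile(r'^\s+login-page\s+"?([^"\s]+)"?')

def parse_profiles(config_text):
    """Map each captive-portal profile name to its login-page URL (or None)."""
    profiles, current = {}, None
    for line in config_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(1)
            profiles[current] = None
        elif line and not line[0].isspace():
            current = None  # any other unindented line (e.g. "!") closes the block
        elif current and (m := LOGIN_RE.match(line)):
            profiles[current] = m.group(1)
    return profiles

def audit(config_text, cppm_hosts, required_prefix="/guest/"):
    """Return (profile, url) pairs hosted on a CPPM host but outside required_prefix."""
    findings = []
    for name, url in parse_profiles(config_text).items():
        if url is None:
            continue  # profile uses the controller's built-in login page
        parsed = urlparse(url)
        if parsed.hostname in cppm_hosts and not parsed.path.startswith(required_prefix):
            findings.append((name, url))
    return findings
```

Running `audit()` over the saved configuration of each controller, with the ClearPass hostname in `cppm_hosts`, lists the profiles that still carry the pre-migration path.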
